
Chaos-based cryptography is facing a lot of criticism; however, some people argue that it can provide many cryptographic primitives, such as stream ciphers, block ciphers, hash functions, and public-key ciphers.

Leaving aside all the defects of applying chaos in cryptography, is chaos not, at most, a pseudo-random generator which could be used for stream ciphers (if this is even possible)?

Note: I am wondering why some people think it is suitable for many cryptographic primitives.

[Edit] In other words: is it feasible to build a whole branch of cryptography on a family of pseudo-random sources such as LFSRs?

Or

For example, for block ciphers, is chaos not just used for the generation of a random sequence, which is separate from our construction of the cipher itself, whether we build it to be a stream or a block cipher?

Or

Some authors say that chaos is suitable for a PRNG, but it has failed to provide approved cryptographic primitives. Is chaos's role in the proposed cipher not merely that of a PRNG?

Crypt01

4 Answers


Is it feasible to build a whole branch of cryptography on a family of pseudo-random sources?

In theory, yes. If there was an efficient and Cryptographically Secure Pseudo Random Number Generator built from a chaotic system, then that could serve as the foundation of reasonably practical symmetric cryptography, and even signatures.

Problem is we know no such thing. PRNGs built from a chaotic system, and having an even mildly convincing security argument¹, pale in efficiency compared to a modern CSPRNG² (unless we extend the definition of "chaotic system" well beyond the usual iterated continuous functions over $\mathbb R$, or discrete approximations thereof).


A (Cryptographically Secure) Pseudo Random Number Generator, in its modern definition, is a powerful-enough tool to build all the other symmetric cryptography functionalities: CPA and CCA(2)-secure cipher, block cipher, Message Authentication Code, authenticated encryption, hash… Some examples:

  • A cipher can be constructed from a (CS)PRNG by using the key and a truly random IV to seed the PRNG, and constructing the ciphertext by XOR of the PRNG's output with the plaintext³. The security directly follows from that of the PRNG, and that's such a good and common way to construct a cipher that it has a name: stream cipher.
  • A block cipher can be constructed from a PRNG as a Feistel cipher, by using the PRNG to construct the round functions. The key, round number, and right half of the block seed the PRNG, whose output is the value to XOR with the left half.

These constructions are demonstrably cryptographically secure if the PRNG is. But with the exception of stream ciphers, they are not used in practice, primarily for efficiency reasons. Common CSPRNGs are constructed from block ciphers or/and hashes, rather than the other way around.


Is it feasible to build public key crypto primitives from PRNG?

Yes for signatures. We can build a secure hash from a secure PRNG, then a secure signature from the hash, by various approaches, including SPHINCS. By this route, any efficient PRNG leads to a plausible signature scheme.

For encryption and key exchange, I doubt that a method with a security proof or even a convincing argument is known. I stand unconvinced by attempts to build asymmetric encryption from continuous chaotic systems by more direct routes⁴.


¹ We can't ask for a proof in the mathematical sense, since we have no such proof of security for any CSPRNG. But we do not want to accept as security argument the fact of passing a predefined randomness test, such as NIST SP800-22rev1a or dieharder. An experimental test should be at least: impossibility for skilled human cryptographers knowing the design of the PRNG, assisted by classical computers, to distinguish from true randomness the output of the PRNG seeded with true randomness. And we'd want to extend that to such impossibility starting with a minimum value of some parameter(s) of the PRNG, like state size or/and number of rounds, with the actually used parameter(s) set comfortably larger.

² Such as the one derived from ChaCha by considering the key and IV to be the seed, and all-zero plaintext.

³ Decryption is similar with plaintext and ciphertext exchanged, except that encryption draws the IV and makes it a preamble of the ciphertext, while decryption extracts the IV from the preamble.

⁴ One such attempt (paywalled) uses Chebyshev polynomials $T_r$ of large degree $r$. A private key is $r$, the matching public key is $T_r(x)$ for some public fixed randomly-chosen real $x\in[-1,1]$. For any integer $s>0$ it holds $T_r(T_s(x))=T_s(T_r(x))$ and (ignoring issues of how that's computed) that allows an analog of Diffie-Hellman key exchange, and from that ElGamal encryption. When I first read it, I stood unconvinced by the argumentation-free assertion of security, as well as by some aspects of feasibility (e.g. that with 2048 bits of precision for real values, the integers $r$ and $s$ can be chosen as random 910-bit integers, rather than as product of primes at most 133 as in the article).
Update: The cryptosystem was found to be insecure, see this article (paywalled). It's still presented in this chapter on Public-Key Cryptography (paywalled) in a much later book on Chaos-Based Cryptography (paywalled), with acknowledgement of insecurity. I find it telling of the state of that whole academic field. And that's at its best: most claims of security, made with comparably weak arguments, are never seriously investigated and proven wrong.

fgrieu
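The two constructions listed in this answer (a stream cipher from a PRNG seeded with key and IV, and a Feistel block cipher whose round function is the PRNG seeded with key, round number and right half), as an added runnable example that is not part of the original answer. It uses SHAKE256 from Python's hashlib as the deterministic PRNG stand-in (note ² suggests ChaCha; SHAKE is substituted here because it ships with the standard library, and the construction only needs "seed in, unpredictable stream out"). The 32-byte key, 16-byte IV, 128-bit block and 8 rounds are choices made for this demo, not parameters from the answer.

```python
import hashlib
import os
from typing import Optional

KEY_LEN = 32    # fixed key length keeps the PRNG seed encodings unambiguous
IV_LEN = 16
BLOCK_LEN = 16  # 128-bit block, split into two 64-bit halves
HALF = BLOCK_LEN // 2
ROUNDS = 8      # demo choice; the answer's argument is about the PRNG, not a round count


def prng(seed: bytes, n: int) -> bytes:
    """Deterministic PRNG stand-in: seed in, n pseudo-random bytes out.

    SHAKE256 is used because it is in the standard library; any CSPRNG with a
    'seed -> stream' interface (e.g. ChaCha on an all-zero plaintext) would do.
    """
    return hashlib.shake_256(seed).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- Construction 1: stream cipher = PRNG(key || IV) XOR plaintext -------------

def stream_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Draw a fresh random IV, seed the PRNG with key || IV, XOR the keystream
    into the plaintext, and prepend the IV so the receiver can re-derive it."""
    assert len(key) == KEY_LEN
    if iv is None:
        iv = os.urandom(IV_LEN)     # must never repeat under the same key
    assert len(iv) == IV_LEN
    keystream = prng(key + iv, len(plaintext))
    return iv + xor(keystream, plaintext)


def stream_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Split off the IV preamble and replay the same keystream."""
    assert len(key) == KEY_LEN and len(ciphertext) >= IV_LEN
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return xor(prng(key + iv, len(body)), body)


# --- Construction 2: Feistel block cipher with a PRNG round function ------------

def round_function(key: bytes, rnd: int, right: bytes) -> bytes:
    """F(key, round, R): the PRNG seeded with key || round number || right half,
    squeezed to the size of the left half."""
    return prng(key + bytes([rnd]) + right, HALF)


def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(key) == KEY_LEN and len(block) == BLOCK_LEN
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        # L_{i+1} = R_i ;  R_{i+1} = L_i XOR F(K, i, R_i)
        left, right = right, xor(left, round_function(key, rnd, right))
    return right + left          # undo the last swap so decryption is the same loop


def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    """Same network with the round order reversed; F itself need not be invertible."""
    assert len(key) == KEY_LEN and len(block) == BLOCK_LEN
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, xor(left, round_function(key, rnd, right))
    return right + left


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    msg = b"a CSPRNG is enough for all of symmetric crypto"
    ct = stream_encrypt(key, msg)
    print("stream :", ct.hex(), "roundtrip ok:", stream_decrypt(key, ct) == msg)
    blk = b"0123456789abcdef"
    eb = feistel_encrypt(key, blk)
    print("feistel:", eb.hex(), "roundtrip ok:", feistel_decrypt(key, eb) == blk)
```

Both halves of the demo stand or fall with the PRNG alone, which is the answer's point: nothing in the Feistel network has to be invertible, so a one-way PRNG output is all the round function needs. What the demo does not show is the efficiency gap the answer mentions: every round squeezes a fresh SHAKE instance, which is far slower than a dedicated block cipher round.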

I am wondering why some people think it is suitable for many cryptographical primitives

Well, I'm not one of those 'some people', however I will give you my perspective.

One of the good properties we like in our cryptosystems is 'avalanche'; that is, a small change somewhere ripples throughout the system. I expect that 'some people' take notice of this and say "hey, that's exactly what chaos is".

At first glance, this has some plausibility; however:

  • Chaos is not the only way to achieve this. This 'avalanche' effect is a deliberately designed property of (most) symmetric cryptosystems. For example, with AES, a one-bit change anywhere in the state will modify all 16 bytes two rounds later.

  • It's also unclear whether the chaos property of 'small changes usually avalanche everywhere' is actually sufficient. For one, we need to ensure that all such changes have this avalanche property; we would need to show that there are no nooks anywhere where changes don't propagate as fast as we'd expect, and that changes that would be considered large by the chaos infrastructure (e.g. changes to the msbits of the state) are also propagated.

  • Chaos is usually defined in terms of real numbers; when we do cryptography, we deal with values with finite precision. It is unclear (at least to me) whether translating from reals to some finite realm necessarily preserves the properties we were hoping for.

Finally, it all comes down to performance. Actually, it is not that difficult to design a secure symmetric cipher (as Ron Rivest pointed out, a thousand rounds of just about anything (nontrivial [1]) is usually secure); we also need it to perform reasonably well. The obvious final objection would be 'do these chaos-based ciphers perform competitively compared to more traditional ciphers, while maintaining security?'


[1]: Ron didn't specify nontrivial in his observation; obviously, there are round functions that are perfectly linear or with no right-ward propagation. I've seen amateur cipher designs with these properties, and obviously 1000 rounds won't help you in those cases...

poncho
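The 'no nooks' test from the second and third bullets of this answer, carried out in code as an added example that is not part of the original answer: for each input bit position of a 64-bit state, flip that bit, iterate a fixed-point version of the logistic map x ↦ 4x(1−x) (my own toy discretization for this demo, not any published chaos cipher) a few times, and count how many output bits changed; the same per-bit measurement is run on SHA-256 for comparison. The 64-bit fixed-point format, the iteration counts and the 16 constructed seeds are choices made here.

```python
import hashlib

WIDTH = 64
M = 1 << WIDTH          # the integer x in [0, M) stands for the real x / M in [0, 1)
N_SEEDS = 16            # constructed starting states, derived below from SHA-256


def logistic_step(x: int) -> int:
    """One iteration of x -> 4x(1-x) in 64-bit fixed point (toy discretization).

    4*x*(M-x) is exact in Python's big integers; the shift truncates to a
    64-bit fraction. The one edge case x == M/2 would give exactly M, which
    the mask folds to 0.
    """
    return ((4 * x * (M - x)) >> WIDTH) & (M - 1)


def logistic_iterate(x: int, rounds: int) -> int:
    for _ in range(rounds):
        x = logistic_step(x)
    return x


def popcount(v: int) -> int:
    return bin(v).count("1")


def seeds(n: int = N_SEEDS) -> list:
    """Deterministic, constructed 64-bit starting states."""
    return [int.from_bytes(hashlib.sha256(b"seed-%d" % i).digest()[:8], "big")
            for i in range(n)]


def map_avalanche(x: int, bit: int, rounds: int) -> int:
    """Output bits (of 64) that differ after `rounds` iterations when input
    bit `bit` of the starting state is flipped."""
    a = logistic_iterate(x, rounds)
    b = logistic_iterate(x ^ (1 << bit), rounds)
    return popcount(a ^ b)


def hash_avalanche(x: int, bit: int) -> int:
    """Same measurement on SHA-256 of the 64-bit state (256 output bits)."""
    a = hashlib.sha256(x.to_bytes(8, "big")).digest()
    b = hashlib.sha256((x ^ (1 << bit)).to_bytes(8, "big")).digest()
    return popcount(int.from_bytes(a, "big") ^ int.from_bytes(b, "big"))


def mean_map_avalanche(bit: int, rounds: int) -> float:
    return sum(map_avalanche(s, bit, rounds) for s in seeds()) / N_SEEDS


def mean_hash_avalanche(bit: int) -> float:
    return sum(hash_avalanche(s, bit) for s in seeds()) / N_SEEDS


def collapsed_trajectories(bit: int, rounds: int) -> int:
    """Seeds whose flipped and unflipped trajectories ended up identical.
    Once two states of a deterministic map coincide they stay equal forever,
    so a rounded-away low-bit difference never avalanches at all."""
    return sum(1 for s in seeds() if map_avalanche(s, bit, rounds) == 0)


if __name__ == "__main__":
    print("input bit -> mean output bits changed (of 64) after 1, 8, 64 map steps | SHA-256 (of 256)")
    for bit in (0, 1, 8, 16, 32, 62, 63):
        row = [mean_map_avalanche(bit, r) for r in (1, 8, 64)]
        print(f"{bit:>3} -> {row[0]:6.1f} {row[1]:6.1f} {row[2]:6.1f} | {mean_hash_avalanche(bit):6.1f}")
    print("seeds whose flipped bit 0 was rounded away by step 64:",
          collapsed_trajectories(0, 64))
```

The measurement makes the two bullets concrete. A flip of the top bit (a change the chaos view would call large) decorrelates the two trajectories within a couple of steps, so the mean distance sits near half the output width. A flip of the lowest bit does not: one step stretches a difference by at most a factor of four (plus one for truncation), so after eight steps a one-ulp change is still confined to roughly the low 17 bits apart from an occasional carry, while the upper half of the state is untouched. That is exactly a 'nook where changes don't propagate as fast as we'd expect', and it is a property of the finite-precision map, not of the real-valued one. SHA-256, by contrast, flips about half of its output bits for every input bit position. Running the demo also shows how many seeds had the low-bit difference truncated away entirely; for those, no number of further rounds will ever separate the two trajectories.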

Apparently chaotic behavior is necessary but insufficient for cryptography. It's a result of cryptographic security, not a cause. Some people invert causation, and think that anything displaying chaotic behavior is suitable for cryptography. I don't know why some people make this mistake, and it's not unique to cryptography.

Lorenz's definition of chaos: "When the present determines the future, but the approximate present does not approximately determine the future".

For computer cryptographic systems operating entirely on bits, we don't have the issue of imprecise measurements that lead to the limit to only have the "approximate present" that physical chaotic systems have.

Practical encryption systems do display chaotic behavior, but they also have other properties. Shannon's concepts of Confusion and Diffusion create the sensitive dependence on initial conditions for the ciphertext from both the plaintext and the key. They also ensure the transformation isn't invertible, which a simple chaotic system may not do.

The one place chaotic oscillators get used a lot is in hardware random number generators. These are often composed of several ring oscillators sampled at different independent clock frequencies, which leads to jitter in the sample values. That jitter means the measurements of the oscillators are only an approximation of their complete state, so it's effectively impossible to determine the future state from a present measurement. Likewise some use avalanche diode noise, which is a quantum-mechanical effect at its core. Since we can't ever know the complete state of a quantum system (if it even exists) these also exhibit the "approximate present" property.

SAI Peregrinus

Chaotic systems are deterministic, so their trajectories can be replicated; this is useful for symmetric encryption. In state-of-the-art chaotic encryption, discrete-time systems are used. These systems do not require numerical integration techniques to solve; they are simple iterative formulas. This means they can be implemented using simple for loops. In discrete time, chaos can be achieved at an extremely low computational cost and with low memory, so chaotic encryption designs mainly use discrete-time chaotic maps, 1D or 2D. So the main two pros are determinism, and low computational, energy, and memory cost.

So once you have a low-cost source of high entropy, you can use the output chaotic time series to perform the standard actions of permutation and substitution. The thing is, chaotic time series are highly unpredictable. Still, they may have bias, so the actions of substitution and permutation must be performed through some hashing rules that will break any underlying bias in the chaotic time series.

Chaotic encryption has some issues of its own to be resolved; the current scientific literature tries to resolve these. One issue is key management, which requires robust chaotic systems to be used (they have chaos everywhere).

In the playlist below, I have many videos explaining chaotic encryption, since this is my field of research. You may find them useful. https://www.youtube.com/playlist?list=PL9y6bivP9mhEXxZGThfzyIJEZp5-BakCi